Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

unarchive_cmd with Java on a Windows system

SK8
Explorer
‎11-08-2017 05:10 AM

Hello,
I have a question for the property unarchive_cmd. I want to parse a textfile and recombine info to a new Log before indexing data.

props.conf

[source::C:\\Users\\...\\testlog\\...txt]
unarchive_cmd = java -jar LogConverter.jar

The command is never run. Does anybody have any ideas?

0 Karma
Reply

Martin_Doering
Explorer
‎01-09-2018 06:31 AM

I finally got this running on Splunk 6.6.4. The following is required:

  1. invalid_cmd=archive needs to be included in the source stanza (not in the sourcetype stanza as stated in the docs).
  2. The jar archive must be specified with its full absolute path.
  3. However, this file path must not contain spaces nor quotation marks. This makes the standard path of "C:\Program Files\SplunkUniversalForwarder\..." impossible to use. I had to change this to C:\Progra~1\SplunkUniversalForwarder\... to omit both spaces and quotation marks.

The only difference of my configuration to the problem stated in the question is that I do not use runnable jar files, so my Java call is java -cp C:\Progra~1\SplunkUniversalForwarder\... CLASS_NAME.

I have deployed this to a Windows Universal Forwarder that in turn forwards the parsed data to a Linux Heavy Forwarder. On the HF, I perform some additional field extractions from the file name (which is not available for the unarchive_cmd). So on the UF, props.conf only contains source stanzas, and on the HF, props.conf only contains sourcetype stanzas.

Reply

Martin_Doering
Explorer
‎12-04-2017 05:45 AM

Same question from my side. I got this running on a Linux universal forwarder, but by a Windows universal forwarder, the command is never run (knowing that because the Java could would otherwise write to a log file).

splunkd.log shows that the archive is processed ("Finishied processing file ..." messages from the ArchiveProcessor), so the "invalid_cause = archive" setting is working.

0 Karma
Reply

Martin_Doering
Explorer
‎12-04-2017 06:01 AM

Made some progress: I now see some warnings of the "ArchiveContext" component:
Command cmd="java -cp "C:\Program Files\SplunkUniversalForwarder\etc\apps\bin.jar" " for archive= failed: exited with code 1.

Need to find out what this is about. My own code does not exit with status code 1 (but rather with 0 or negative numbers).

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top